I am trying to analyze SQL statements/expressions being sent from a client machine to a DB2 server. I can successfully get a general capture [from Wireshark app] but I have been unable to get any useful output ('readable' info). I figured that after HOURS of 'google-ing' this issue, I would have stumbled upon a YouTube vid or a forum entry that explains this wireshark-related process. However, coming up empty, it is becoming apparent that either Wireshark is not the tool to do this OR not a lot of people know HOW to accomplish this task with Wireshark. Anyone have any suggestions on the best tool to use for this task? asked 16 Jul '13, 17:58 mem5449
One Answer:
Wireshark is almost certainly the best tool for this task. A quick Google search found two articles (here and here) showing Wireshark being used to examine DB2 traffic, so it would seem to be a local issue on your end, unless your DB2 instances are not using DRDA. Can you explain what you do see in your capture, and if possible post the capture somewhere so we can examine it, e.g. CloudShark, Google Drive etc. answered 17 Jul '13, 02:04 grahamb ♦
Graham,
Thanks for your reply. I would love to post the capture so maybe someone could assist. However, since the DB2 results (from queries) contain customers phone numbers, my client is not willing to let me put that out on the web.
I had already seen those 2 links you provided. In fact I emailed the gent in the second link but have not heard back. After FURTHER Google searches, I learned that I will probably need to install a DB2 specific DISSECTOR into Wireshark to actually see the SQL statements in the packet capture.
Mike
Wireshark has had a dissector for DRDA since 2007. Apparently this is the protocol used by DB2 since version 8. The DRDA dissector is heuristic so DRDA traffic (as long as it's not encrypted e.g. by using SSL) should be visible in your capture.
As you are unable to post the capture, are you able to identify traffic to the port the server is listening on, and the protocols used on traffic to that port?
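Added example (not part of the thread above, and not Wireshark's own dissector code): a small Python walker over the DRDA DDM framing that the Wireshark `drda` dissector recognises. It answers the two questions raised in the thread without sharing the capture: does the bytes-on-the-wire on the DB2 port actually look like plaintext DRDA (a TLS-protected connection fails the magic-byte check immediately), and where inside that framing does the SQL statement text live (the SQLSTT object, codepoint 0x2414). The wire layout it assumes comes from the DRDA/DDM specification: a 6-byte DSS header (length, magic 0xD0, format byte whose low nibble is the DSS type, correlation id) followed by one DDM object (length, codepoint, data), with command parameters nested as further (length, codepoint, value) triples. The SQLSTT body is treated as bare statement text in ASCII or EBCDIC; real DB2 products may add their own length or null-indicator prefix and use the negotiated CCSID, so that part is a simplification. The sample payload and the TLS-looking bytes are constructed for the example, not taken from a real capture. In Wireshark itself the equivalent first step is the display filter `drda`; if the server listens on a non-default port and the heuristic does not fire, use Decode As on that TCP port.

```python
"""DRDA/DDM framing walker (added example; layout assumed from the DRDA spec)."""
import struct

# DDM codepoints used here (values from the DRDA specification)
EXCSAT = 0x1041      # Exchange Server Attributes
ACCRDB = 0x2001      # Access RDB
EXCSQLSTT = 0x200B   # Execute SQL Statement
PRPSQLSTT = 0x200D   # Prepare SQL Statement
RDBNAM = 0x2110      # Relational database name (parameter)
SQLSTT = 0x2414      # SQL statement text (command data object)

DSS_MAGIC = 0xD0
DSS_TYPES = {1: "RQSDSS", 2: "RPYDSS", 3: "OBJDSS", 4: "CMNDSS", 5: "NORPYDSS"}
FMT_CHAINED = 0x40   # format-byte flag: another DSS follows in the same chain


def iter_dss(payload: bytes):
    """Split a reassembled TCP payload into DSS records.

    Returns a list of (dss_type, correlation_id, codepoint, data) tuples.
    Raises ValueError when the bytes are not plaintext DRDA, which is what an
    SSL/TLS-protected DB2 session looks like to this walker.
    """
    records, off = [], 0
    while off < len(payload):
        if off + 10 > len(payload):
            raise ValueError(f"truncated DSS header at offset {off}")
        dss_len, magic, fmt, corr = struct.unpack_from(">HBBH", payload, off)
        if magic != DSS_MAGIC or dss_len < 10 or off + dss_len > len(payload):
            raise ValueError(f"not a plaintext DRDA DSS at offset {off}")
        obj_len, codepoint = struct.unpack_from(">HH", payload, off + 6)
        if obj_len < 4 or obj_len > dss_len - 6:
            raise ValueError(f"bad DDM object length at offset {off}")
        data = payload[off + 10: off + 6 + obj_len]
        records.append((DSS_TYPES.get(fmt & 0x0F, "UNKNOWN"), corr, codepoint, data))
        off += dss_len
    return records


def iter_params(data: bytes):
    """Walk the (length, codepoint, value) parameters nested in a DDM command."""
    params, off = [], 0
    while off + 4 <= len(data):
        plen, cp = struct.unpack_from(">HH", data, off)
        if plen < 4 or off + plen > len(data):
            raise ValueError(f"bad parameter length at offset {off}")
        params.append((cp, data[off + 4: off + plen]))
        off += plen
    return params


def decode_text(raw: bytes) -> str:
    """Statement text may be ASCII/UTF-8 or EBCDIC depending on the CCSID the
    peers negotiated; try ASCII first and fall back to EBCDIC (CP037)."""
    try:
        text = raw.decode("ascii")
        if text.isprintable():
            return text
    except UnicodeDecodeError:
        pass
    return raw.decode("cp037")


def extract_sql(payload: bytes):
    """Return the statement strings carried in SQLSTT objects of one payload."""
    return [decode_text(d) for (_t, _c, cp, d) in iter_dss(payload) if cp == SQLSTT]


def looks_like_drda(payload: bytes) -> bool:
    """Quick plaintext-DRDA check for traffic seen on the DB2 listener port."""
    try:
        return len(iter_dss(payload)) > 0
    except ValueError:
        return False


# --- constructed sample bytes (not a real capture) --------------------------
def _param(codepoint: int, value: bytes) -> bytes:
    return struct.pack(">HH", len(value) + 4, codepoint) + value


def _dss(dss_type: int, corr: int, codepoint: int, data: bytes, chained=False) -> bytes:
    obj = struct.pack(">HH", len(data) + 4, codepoint) + data
    fmt = (FMT_CHAINED if chained else 0) | dss_type
    return struct.pack(">HBBH", len(obj) + 6, DSS_MAGIC, fmt, corr) + obj


SAMPLE_PAYLOAD = (
    _dss(1, 1, PRPSQLSTT, _param(RDBNAM, "SAMPLE".encode("cp037")), chained=True)
    + _dss(3, 1, SQLSTT, b"SELECT phone FROM customers WHERE id = ?")
    + _dss(3, 2, SQLSTT, "SELECT 1 FROM sysibm.sysdummy1".encode("cp037"))
)
# First bytes of a TLS ClientHello record; what an encrypted session shows instead
TLS_LOOKING = bytes.fromhex("160303002a0100002603035a5a5a5a")

if __name__ == "__main__":
    for dss_type, corr, cp, data in iter_dss(SAMPLE_PAYLOAD):
        print(f"{dss_type} corr={corr} codepoint=0x{cp:04X} bytes={len(data)}")
    print("SQL:", extract_sql(SAMPLE_PAYLOAD))
    print("plaintext DRDA?", looks_like_drda(SAMPLE_PAYLOAD), looks_like_drda(TLS_LOOKING))
```

Feed `iter_dss` the reassembled TCP payload of one direction of the DB2 connection (for example exported from Wireshark via Follow TCP Stream as raw bytes). If `looks_like_drda` returns False for traffic on the listener port, the session is most likely SSL/TLS-protected or not DRDA at all, which is exactly the case where the heuristic dissector shows nothing readable.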